Adobe Flash Player Zero-Day Exploited in Attack Campaign

Adobe Systems released an emergency update today to address a vulnerability in Adobe Flash Player that is being exploited in a targeted phishing campaign.

The bug, CVE-2015-3113, is a heap buffer overflow in the way Flash Player parses Flash Video (FLV) files. It was discovered by researchers at FireEye, who have linked it to attacks by the hacking crew APT3 against a number of industries, including telecommunications, transportation, and aerospace and defense.

"Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks," Adobe stated in its advisory. "Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets."

According to FireEye, the attackers' emails contained links to compromised web servers that served either benign content or a malicious Adobe Flash Player file exploiting the bug.

"Upon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting JavaScript profiling scripts," FireEye researchers blogged. "Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system."

"The attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files," the researchers explained. "The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image."
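The "vector corruption" FireEye mentions is the standard Flash ASLR bypass of that period: the heap is sprayed with Vector.<uint> objects, the overflow overwrites the length field of the Vector that happens to sit after the overflowed buffer, and the runtime's bounds check then trusts the corrupted length, turning that Vector into a read/write window over the rest of the heap from which code and object pointers can be read. The following C model is an added illustration, not code from the article, from FireEye's analysis or from the real exploit; the one-word length header, the element count, the four-object spray and the planted value 0x0BADF00D are assumptions made for the demonstration, and the FLV parser bug itself is stood in for by a single unchecked write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of Flash's Vector.<uint> layout: one 32-bit element count
 * followed by the elements. Real objects carry more fields; the layout and
 * the element count here are assumptions for this illustration only. */
#define ELEMS      8                 /* elements per sprayed vector */
#define VEC_WORDS  (1 + ELEMS)       /* length word + elements */
#define NVECS      4                 /* vectors in the "spray" */

/* Contiguous "heap": the vectors sit back to back, as a spray would place them. */
static uint32_t heap_words[NVECS * VEC_WORDS];

/* Word 0 of a vector is its length; words 1.. are its elements. */
static uint32_t *vec_at(int n) { return &heap_words[n * VEC_WORDS]; }

/* Normal accessors: the bounds check trusts the in-memory length word. */
static int vec_get(const uint32_t *vec, uint32_t i, uint32_t *out) {
    if (i >= vec[0]) return 0;       /* refused while the length is intact */
    *out = vec[1 + i];
    return 1;
}
static int vec_set(uint32_t *vec, uint32_t i, uint32_t val) {
    if (i >= vec[0]) return 0;
    vec[1 + i] = val;
    return 1;
}

/* Stand-in for the parser bug: a write with no bounds check. Writing element
 * ELEMS of vec 0 lands on the length word of vec 1. */
static void vulnerable_write(uint32_t *vec, uint32_t i, uint32_t val) {
    vec[1 + i] = val;
}

/* Lay out the spray with honest lengths and plant a word that stands in for
 * a code or object pointer that ASLR is supposed to keep secret (assumed value). */
#define PLANTED 0x0BADF00Du
static void spray(void) {
    memset(heap_words, 0, sizeof heap_words);
    for (int n = 0; n < NVECS; n++) vec_at(n)[0] = ELEMS;
    vec_set(vec_at(3), 3, PLANTED);
}

/* Index, relative to vec 1's elements, of element 3 of vec 3:
 * vec 3 starts at word 3*VEC_WORDS and element 3 is 4 words in;
 * vec 1's element 0 is word 1*VEC_WORDS + 1. Evaluates to 21. */
#define TARGET_INDEX ((3 * VEC_WORDS + 4) - (1 * VEC_WORDS + 1))

/* Whole sequence: spray, confirm the read is refused, corrupt vec 1's length,
 * read again. Returns 1 and stores the leaked word on success, -1 if the
 * read was not refused beforehand, 0 if it is still refused afterwards. */
int demo_leak(uint32_t *leaked) {
    spray();
    uint32_t v;
    if (vec_get(vec_at(1), TARGET_INDEX, &v)) return -1;
    vulnerable_write(vec_at(0), ELEMS, 0xFFFFFFFFu);   /* vec 1 now claims 2^32-1 elements */
    return vec_get(vec_at(1), TARGET_INDEX, leaked);
}

/* The same corrupted vector also gives a relative write: overwrite the
 * planted word through vec 1 and observe it through vec 3's own accessor. */
int demo_write(uint32_t *observed) {
    spray();
    vulnerable_write(vec_at(0), ELEMS, 0xFFFFFFFFu);
    if (!vec_set(vec_at(1), TARGET_INDEX, 0x41414141u)) return 0;
    return vec_get(vec_at(3), 3, observed);
}

int main(void) {
    uint32_t leaked = 0, written = 0;
    printf("leak ok=%d value=0x%08X\n", demo_leak(&leaked), leaked);
    printf("write ok=%d observed=0x%08X\n", demo_write(&written), written);
    return 0;
}
```

The read primitive is what defeats ASLR: once a real pointer into Flash's module has been read out this way, the base address follows and a ROP chain can be built from it, which is the DEP bypass the FireEye text goes on to describe. The check a defender gets from this model is the inverse one: runtime mitigations introduced later for Flash Vectors (length validation against a per-object cookie) exist precisely because this single corrupted length word is enough.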
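The last sentence of that quote, a payload XOR-encoded and hidden inside an image, describes something an analyst can check for directly: a Windows executable XOR-encoded with a short key still carries "MZ" and the DOS stub text at fixed relative positions, so every single-byte key can be tried against the suspect image and a hit confirmed by both markers lining up under the same key. The scanner below is an added example, not code from the article or from FireEye; the sample image it scans is constructed in the block (PNG signature, filler, then a minimal PE-like blob under key 0x5A), the key, the 0x200-byte search window and the single-byte key length are assumptions, and a real sample with a longer key or an encoding other than XOR would need a different check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DOS stub text present in nearly every PE file; in the common stub it sits
 * at offset 0x4E from "MZ", which the constructed sample reproduces. */
static const char DOS_STUB[] = "This program cannot be run in DOS mode";
#define STUB_LEN   (sizeof(DOS_STUB) - 1)
#define STUB_OFF   0x4E
#define SEARCH_WIN 0x200   /* how far past "MZ" to look for the stub text (assumption) */

/* Constructed sample, not a real capture: PNG signature, 64 filler bytes,
 * then a minimal PE-like blob XOR-encoded with a single-byte key.
 * Returns the total length, or 0 if the buffer is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint8_t key) {
    static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    size_t blob_len = STUB_OFF + STUB_LEN;
    size_t total = sizeof png_sig + 64 + blob_len;
    if (cap < total) return 0;
    memcpy(buf, png_sig, sizeof png_sig);
    memset(buf + sizeof png_sig, 0x11, 64);          /* stand-in for image data */
    uint8_t *blob = buf + sizeof png_sig + 64;
    memset(blob, 0, blob_len);
    blob[0] = 'M';
    blob[1] = 'Z';
    memcpy(blob + STUB_OFF, DOS_STUB, STUB_LEN);
    for (size_t i = 0; i < blob_len; i++) blob[i] ^= key;
    return total;
}

/* Try every single-byte key. A hit needs "MZ" followed, within SEARCH_WIN
 * bytes, by the DOS stub text under the same key; "MZ" alone is two bytes
 * and would match by chance. Returns 1 and reports key and offset. */
int find_xor_pe(const uint8_t *buf, size_t len, uint8_t *key_out, size_t *off_out) {
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i + 1 < len; i++) {
            if ((buf[i] ^ key) != 'M' || (buf[i + 1] ^ key) != 'Z') continue;
            size_t end = i + SEARCH_WIN;
            if (end > len) end = len;
            for (size_t s = i + 2; s + STUB_LEN <= end; s++) {
                size_t t = 0;
                while (t < STUB_LEN && (buf[s + t] ^ key) == (uint8_t)DOS_STUB[t]) t++;
                if (t == STUB_LEN) {
                    *key_out = (uint8_t)key;
                    *off_out = i;
                    return 1;
                }
            }
        }
    }
    return 0;
}

/* Decode n bytes starting at off into out; the caller supplies the buffer. */
void xor_decode(const uint8_t *buf, size_t off, size_t n, uint8_t key, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = buf[off + i] ^ key;
}

int main(void) {
    uint8_t img[256], hdr[2];
    size_t len = build_sample(img, sizeof img, 0x5A);
    uint8_t key = 0;
    size_t off = 0;
    if (find_xor_pe(img, len, &key, &off)) {
        xor_decode(img, off, sizeof hdr, key, hdr);
        printf("XOR key 0x%02X, encoded PE at offset %zu, header %c%c\n",
               key, off, hdr[0], hdr[1]);
    } else {
        puts("no single-byte-XOR-encoded PE found");
    }
    return 0;
}
```

Running the scanner over a carved SWF, FLV or image from a suspect session is a cheap first triage step; key 0 is included so an unencoded executable appended to an image is caught by the same pass.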

APT3 has been linked to the use of browser-based zero-days in the past, and will typically dump credentials and move laterally across a compromised network to hit additional victims, the FireEye researchers added.

"Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack," said Clinton Karr, senior security strategist at Bromium. "Or test the patch to make sure it integrates with legacy systems. This latest zero-day and others before it could have been isolated in the first place. Only by isolating the threat are security and ops teams granted the grace period needed to test and deploy these critical patches."

"The vulnerability lies in the video decoding part of Flash and the exploit shows some signs of sophistication by introducing new techniques in their use of ROP," blogged Qualys CTO Wolfgang Kandek. "Patch as quickly as possible. 0-days once discovered this way tend to spread quickly to other cyber criminal groups. Adobe mentions that all known targets seem to use Windows 7 and Internet Explorer and Firefox on Windows XP, but we don't recommend holding back on patching even if you are running other configurations (hopefully not XP, though). Users of IE10/11 and Google Chrome will get their patches through their browsers directly, everybody else will need to download directly from Adobe."